TrickMo Android Trojan Uses TON Blockchain for Covert C2
- [01] TrickMo facilitates financial theft by stealing banking credentials and intercepting SMS-based multi-factor authentication codes from European Android users.
- [02] Android devices allowing sideloading and the abuse of Accessibility Services are primarily at risk from this banking malware variant.
- [03] Organizations should enforce strict mobile application management policies and educate users to avoid sideloading APKs from unofficial sources.
Recent threat intelligence reports indicate a significant evolution in the infrastructure of the TrickMo Android banking Trojan. According to BleepingComputer, researchers from Zimperium have identified a new variant that leverages The Open Network (TON) blockchain to facilitate C2 communications. This shift marks a transition from traditional web-based or Telegram-hosted control channels toward a more decentralized and resilient architecture designed to circumvent detection by standard network security controls.
Analysis of TrickMo C2 Communication via TON Blockchain
The integration of the TON blockchain serves as a primary method for the malware to retrieve its current C2 server address dynamically. By querying specific smart contracts or transactions on the TON network, TrickMo can identify current operational infrastructure without hardcoding IP addresses or domains that are easily blocked by firewalls or flagged in a SIEM. This TTP is increasingly popular among malware developers seeking to build censorship-resistant botnets: because the lookup goes through a decentralized protocol, even if individual servers are taken down, infected devices can still locate the new command nodes via the blockchain ledger.
Technical Delivery and Exploitation Mechanisms
TrickMo typically reaches victims through phishing campaigns that lure users into installing malicious Android Package (APK) files. These files are often disguised as essential updates, such as browser security patches or tax-related applications. Once installed, the malware requests permission to use Android Accessibility Services. If granted, the malware gains the ability to monitor the screen, capture keystrokes, and interact with other applications on the user's behalf.
Security professionals must understand how to detect TrickMo behavior on Android, which often means identifying unauthorized attempts to enable Accessibility Services or unusual background network traffic directed toward known TON gateway APIs. The malware uses these permissions to display HTML overlays (fake login screens rendered over legitimate banking apps) that harvest credentials and multi-factor authentication tokens. Furthermore, the malware can intercept and delete SMS messages, allowing it to bypass one-time password (OTP) protections without the user's knowledge.
Advanced Malware Capabilities
Beyond credential harvesting, this variant of TrickMo includes remote access features via Virtual Network Computing (VNC). This allows threat actors to move laterally across personal and professional accounts if the device is used for work purposes. The malware also performs extensive data exfiltration, including contact lists, device metadata, and photos, and this activity itself produces observable indicators of compromise.
Mitigation and Detection Strategies
Defenders should prioritize mobile endpoint visibility to counter these threats. Since TrickMo relies heavily on social engineering and permission abuse, a Zero Trust approach to mobile device management is recommended.
- Restrict Sideloading: Disable the “Install from Unknown Sources” setting across all corporate-managed Android devices.
- Monitor Accessibility Services: Use mobile EDR solutions to alert the SOC when an application requests high-risk permissions, particularly Accessibility Services.
- Network Filtering: Block known TON gateway domains and monitor for unexpected blockchain-related traffic originating from mobile segments.
- User Education: Conduct training to help users recognize fake update prompts, which remain the primary vector for initial compromise.
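As an added illustration (not from the Zimperium report or the article), the following Python script applies two of the checks above to constructed data: it flags enabled Accessibility Services that are not on a fleet allowlist, using the colon-separated format of `adb shell settings get secure enabled_accessibility_services`, and it flags DNS queries from mobile segments to TON gateway hosts. The allowlist, the package names, the DNS log format and the gateway list are assumptions made for the example.

```python
# Constructed sample of `settings get secure enabled_accessibility_services` output
# from a hypothetical managed device; the second entry is an invented package name.
ENABLED_SERVICES_OUTPUT = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.update.browsersecurity/.OverlayAccessibilityService"
)

# Accessibility services the fleet is expected to use (assumed allowlist).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback/.TalkBackService",
}

# Constructed DNS resolver log in an assumed "timestamp device domain" format.
DNS_LOG = """\
2024-05-01T10:00:01Z device-17 api.bank-example.test
2024-05-01T10:00:05Z device-17 toncenter.com
2024-05-01T10:00:09Z device-42 play.googleapis.com
2024-05-01T10:00:12Z device-42 eviltoncenter.com
"""

# TON API gateways to watch for. toncenter.com is a public TON API host; the
# second entry is a placeholder for any other gateway the SOC chooses to track.
TON_GATEWAY_HOSTS = ("toncenter.com", "ton-gateway.example")


def unexpected_accessibility_services(output, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return enabled accessibility services that are not on the allowlist."""
    services = [s for s in output.strip().split(":") if s]
    return [s for s in services if s not in allowlist]


def is_ton_gateway(domain, hosts=TON_GATEWAY_HOSTS):
    """True if domain is a watched gateway host or a subdomain of one.
    Suffix matching is anchored on a dot so look-alike names do not match."""
    d = domain.lower().rstrip(".")
    return any(d == h or d.endswith("." + h) for h in hosts)


def ton_gateway_queries(log, hosts=TON_GATEWAY_HOSTS):
    """Return (device, domain) pairs for DNS queries to TON gateway hosts."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines rather than crash
            continue
        _, device, domain = parts
        if is_ton_gateway(domain, hosts):
            hits.append((device, domain))
    return hits
```

Both checks are meant to feed an alert pipeline; an accessibility service outside the allowlist on the same device that resolves a TON gateway is the combination the article describes.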
By mapping these activities to the MITRE ATT&CK framework, specifically under techniques such as T1418 (Software Discovery) and T1516 (Input Injection), organizations can better align their defensive posture against the ongoing evolution of Android-based financial threats.